convert to flakes
Signed-off-by: Xe <me@christine.website>
This commit is contained in:
parent
e159fc7124
commit
a5daa4c297
74
flake.lock
generated
Normal file
74
flake.lock
generated
Normal file
@ -0,0 +1,74 @@
|
||||
{
|
||||
"nodes": {
|
||||
"flake-utils": {
|
||||
"locked": {
|
||||
"lastModified": 1638122382,
|
||||
"narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "numtide",
|
||||
"repo": "flake-utils",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"naersk": {
|
||||
"inputs": {
|
||||
"nixpkgs": "nixpkgs"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1639947939,
|
||||
"narHash": "sha256-pGsM8haJadVP80GFq4xhnSpNitYNQpaXk4cnA796Cso=",
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"rev": "2fc8ce9d3c025d59fee349c1f80be9785049d653",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nix-community",
|
||||
"repo": "naersk",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1640418986,
|
||||
"narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs_2": {
|
||||
"locked": {
|
||||
"lastModified": 1640418986,
|
||||
"narHash": "sha256-a8GGtxn2iL3WAkY5H+4E0s3Q7XJt6bTOvos9qqxT5OQ=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5c37ad87222cfc1ec36d6cd1364514a9efc2f7f2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"flake-utils": "flake-utils",
|
||||
"naersk": "naersk",
|
||||
"nixpkgs": "nixpkgs_2"
|
||||
}
|
||||
}
|
||||
},
|
||||
"root": "root",
|
||||
"version": 7
|
||||
}
|
144
flake.nix
Normal file
144
flake.nix
Normal file
@ -0,0 +1,144 @@
|
||||
{
|
||||
inputs = {
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
naersk.url = "github:nix-community/naersk";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, flake-utils, naersk }:
|
||||
flake-utils.lib.eachDefaultSystem (system:
|
||||
let
|
||||
pkgs = nixpkgs.legacyPackages."${system}";
|
||||
naersk-lib = naersk.lib."${system}";
|
||||
in rec {
|
||||
# `nix build`
|
||||
packages.printerfacts = naersk-lib.buildPackage {
|
||||
pname = "printerfacts";
|
||||
root = ./.;
|
||||
};
|
||||
defaultPackage = packages.printerfacts;
|
||||
|
||||
# `nix run`
|
||||
apps.printerfacts =
|
||||
flake-utils.lib.mkApp { drv = packages.printerfacts; };
|
||||
defaultApp = apps.printerfacts;
|
||||
|
||||
# `nix develop`
|
||||
devShell =
|
||||
pkgs.mkShell { nativeBuildInputs = with pkgs; [ rustc cargo ]; };
|
||||
|
||||
nixosModules.printerfacts = { config, lib, pkgs, ... }:
|
||||
with lib;
|
||||
let cfg = config.within.services.printerfacts;
|
||||
in {
|
||||
options.within.services.printerfacts = {
|
||||
enable = mkEnableOption "Activates the printerfacts server";
|
||||
useACME = mkEnableOption "Enables ACME for cert stuff";
|
||||
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "printerfacts.akua";
|
||||
example = "printerfacts.cetacean.club";
|
||||
description =
|
||||
"The domain name that nginx should check against for HTTP hostnames";
|
||||
};
|
||||
|
||||
sockPath = mkOption rec {
|
||||
type = types.str;
|
||||
default = "/srv/within/run/printerfacts.sock";
|
||||
example = default;
|
||||
description =
|
||||
"The unix domain socket that printerfacts should listen on";
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
users.users.printerfacts = {
|
||||
createHome = true;
|
||||
description = "tulpa.dev/cadey/printerfacts";
|
||||
isSystemUser = true;
|
||||
group = "within";
|
||||
home = "/srv/within/printerfacts";
|
||||
extraGroups = [ "keys" ];
|
||||
};
|
||||
|
||||
systemd.services.printerfacts = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
||||
serviceConfig = {
|
||||
User = "printerfacts";
|
||||
Group = "within";
|
||||
Restart = "on-failure";
|
||||
WorkingDirectory = "/srv/within/printerfacts";
|
||||
RestartSec = "30s";
|
||||
|
||||
# Security
|
||||
CapabilityBoundingSet = "";
|
||||
DeviceAllow = [ ];
|
||||
NoNewPrivileges = "true";
|
||||
ProtectControlGroups = "true";
|
||||
ProtectClock = "true";
|
||||
PrivateDevices = "true";
|
||||
PrivateUsers = "true";
|
||||
ProtectHome = "true";
|
||||
ProtectHostname = "true";
|
||||
ProtectKernelLogs = "true";
|
||||
ProtectKernelModules = "true";
|
||||
ProtectKernelTunables = "true";
|
||||
ProtectSystem = "true";
|
||||
ProtectProc = "invisible";
|
||||
RemoveIPC = "true";
|
||||
RestrictAddressFamilies = [ "~AF_NETLINK" ];
|
||||
RestrictNamespaces = [
|
||||
"CLONE_NEWCGROUP"
|
||||
"CLONE_NEWIPC"
|
||||
"CLONE_NEWNET"
|
||||
"CLONE_NEWNS"
|
||||
"CLONE_NEWPID"
|
||||
"CLONE_NEWUTS"
|
||||
"CLONE_NEWUSER"
|
||||
];
|
||||
RestrictSUIDSGID = "true";
|
||||
RestrictRealtime = "true";
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = [
|
||||
"~@reboot"
|
||||
"~@module"
|
||||
"~@mount"
|
||||
"~@swap"
|
||||
"~@resources"
|
||||
"~@cpu-emulation"
|
||||
"~@obsolete"
|
||||
"~@debug"
|
||||
"~@privileged"
|
||||
];
|
||||
UMask = "007";
|
||||
};
|
||||
|
||||
script = let site = pkgs.tulpa.dev.cadey.printerfacts;
|
||||
in ''
|
||||
export SOCKPATH=${cfg.sockPath}
|
||||
export DOMAIN=${toString cfg.domain}
|
||||
export RUST_LOG=info
|
||||
cd ${site}
|
||||
exec ${site}/bin/printerfacts
|
||||
'';
|
||||
};
|
||||
|
||||
services.cfdyndns =
|
||||
mkIf cfg.useACME { records = [ "${cfg.domain}" ]; };
|
||||
|
||||
services.nginx.virtualHosts."${cfg.domain}" = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://unix:${cfg.sockPath}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
forceSSL = cfg.useACME;
|
||||
useACMEHost = "cetacean.club";
|
||||
extraConfig = ''
|
||||
access_log /var/log/nginx/printerfacts.access.log;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
});
|
||||
}
|
Loading…
x
Reference in New Issue
Block a user